5bbe24c99a6d3de6f7084dbc3c3a38251f5460aebe216ce7cecf5f182e41b62f

Analysis

max time kernel
143s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe
Size

162KB
MD5

4582e543a793cd9d06a325321d474ca6
SHA1

f73f276cc2e429c4060649555ee7d02835155a4b
SHA256

5bbe24c99a6d3de6f7084dbc3c3a38251f5460aebe216ce7cecf5f182e41b62f
SHA512

851bb0ac73a67b94971f38fc1ffc7318db3bc42f47a4d728b8d690c3fcab668b042f5f13029ea32ab20c4001b6d040ae725b4ad658ac9a05b064150559e8a41e
SSDEEP

3072:h22ihA0m3BJf0vsTG8obMLBAA1q9hKX8cSpLWjSFhDztQ51c0Mv8:CA0m3T0vsq85nehKiLWQW51c0ME

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2616	biclient.exe

Loads dropped DLL 1 IoCs

pid	Process
2432	4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biclient.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	biclient.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2616	biclient.exe
2616	biclient.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2616	2432	4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2616	2432	4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2616	2432	4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2616	2432	4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2616	2432	4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2616	2432	4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2616	2432	4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4582e543a793cd9d06a325321d474ca6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\biclient.exe
  "C:\Users\Admin\AppData\Local\Temp\biclient.exe" /url bi.bisrv.com /affid "download123azvi" /id "garenaplusxmlb" /name "garena-plus-" /uniqid 4582e543a793cd9d06a325321d474ca6_JaffaCakes118
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3abd4d658bf99a04e6189b3c1221d113

SHA1
011f118c2e5fc48395decaa4fed6d9dd417f2bb8

SHA256
d724ed572e9d418197790c724b3f0167f342df4ef2ad3d6c9a15d286f456a08c

SHA512
a262fac46f827b24ec44edb5c3076c2944879c6e2de42d300b895238ed4111451e45f6aa3cca9f23bda77a13f55751d075d8e513bd0d582af43213f26ceceeec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcf2148f2659f7e7207b518a02645464

SHA1
7b823b6c49848f36ae338267ae4eee00662efada

SHA256
eac6f5c160b92e684c46e7f0eb261deb8ef4c4c8a52cfd1d4630aaa3b7e1e022

SHA512
31e443f781cf1ccf86fdeaef1ac0a091c2ab7e15926fe2c84d537a481757b28f23fa6d26378e86deb94526cdc490521111e1fab8dd4187a203bdf9b7e976d01a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f33701384e182534d4b5d38724b5f76

SHA1
ec25db8d5385db039c254daeff15d89c2b6c6e84

SHA256
6c145376ce918a7e889709930ea43ca1670fcb7f44e982b77a8e610395ffc3ff

SHA512
ab758bf24a1bb527fd36abbf3c1b5e8bb6f5d4e9bf6a5cd08b798decbff64f12ba08f366740b618b367ffe36a442d27fb42846e9269f50d4071771d04a66cc1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d403d0f90424cfea7e93fb44cc462f75

SHA1
75347602a1104a962015cca91edadf210b20c583

SHA256
7e5e8372f34759df35e65a11cdc191efa9ac06e8a55f872e3f24fa1c1c9f646c

SHA512
65b40129702e8b9c19a9e6d78a142b7251f9bad2c1a016c34fc07ece7d10af36726cb7855f5df78f70203c774fff9818284d511e5e89116a01655500c7762430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83ad64cdd227d4071f5b8d6997581a15

SHA1
dd332581eaa159b450f48cf3637ce53e97bc3687

SHA256
14475e7d460846b0e7688a09ae620efbf7733eb946df44317096ec5ac37470ef

SHA512
fbeb927106af7b3e6b87fdb034714f56847d4f7262f00dbf5766cd2f19bd682743623cd1405217b886913678fce8dee95c54ef6c69eea84f00ab2a94d4db5285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b291d0d862bfdcbcafd9902afd9df03e

SHA1
92f73cb0ada5792a6dd0fd622bc967cb1a9e5dde

SHA256
3d1f886a239b413b890f96c793dc5354c75935e67f64654d2f2b6ebf4475b68d

SHA512
1826d5ff3714782e64c93390ec99f3c334514df541394eb3b0e044c24572d0cf760ec405ac2cd90c55beb338e5409c31da4f9573acb828fb1ec8b4a655c5c4df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff48627a76b202dbb008302a42a5c48e

SHA1
b2862982e57978d9d9ec167ccfb1ee2e14d2f0f1

SHA256
49b9629c8db652046806bab2d7857a69aa551c82356702deb36e7da37bddbd76

SHA512
0d126d96e09204a7efe3efaf0bb75654e1a697d983228f8e03230d5546457c171736e5e77304632def5612d2754202728c3acee6dbb3ba97c7ddec0c3f4e084b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac441b776a5f6bb848bf641503866c6d

SHA1
9ef780a70c4e7455bc0cbd7cfac6254fe2fc6143

SHA256
b97ac0ec472779dd49e63cbd046553f859cdee9d5bcdcf8fc34fe27b084623c7

SHA512
17daf3c6ed94c05e27d1efd427380e50b2ea702e8782fa77f828541a32e00eee7f37d8ce79133718f7c00c8a6f204223440e702e95198ac8a29ab7ac7e727635

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd1a8ce5c14c81d324e10627ac724683

SHA1
8e7771caafe95c58f74994dea7f1761a4cf40467

SHA256
8ce63ce69bbf0ae027f6ff7a8cd5abe8ed4b9a84916ff40fe3a146b1a5e4d34f

SHA512
9ba93f9a9455feac68505616db2cc39fc8233fedb412dd307f38e8db0fa5a14fe6b874b0217e4bc15ecaa8ddb1d5fecd97f4511e370de1d5db75e28a843ec208

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF73C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF78D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
98B

MD5
e2150cd8fd0ba855ac75b2263dce6fc1

SHA1
d27c2d72cb777b4e28d8636b0da62dfcee04136b

SHA256
036a688619a33c1bec8eb5c8ee2c6c963d651011bf9c3080d3b307ee83731aaa

SHA512
8f6e8a49f41ea9bbe16ef3de136562fe3cdd7246bc47aba74ea4d85f2157eafe1d423fc68df9e5ff3bbaf0a06554f3497ccc8704d73b10cf811d1a012ef1d88b

Download Submit
\Users\Admin\AppData\Local\Temp\biclient.exe

Filesize
223KB

MD5
ac8f7611f353ca9803fad5ff81900678

SHA1
de33325e686c82c12db1f95f39e94ac746f5b5b5

SHA256
ef72a8db980a2c299006b1c32b6ab0a74fd00dfc131c6ae7f13b392adf4159cc

SHA512
75d7d0a106f8cc02cac734e34a4cccd97d814214c397e2c05eb00b95b4ef87d2ce60e368b8d418a9c5b330b239547d1d9555538b6a2c705040a746bdcb320571

Download Submit
memory/2432-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-16-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2616-471-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download